ECDPM privacy policy

Your privacy is important to us. In this policy we set out how ECDPM collects, uses, processes and protects the data that you provide to us.

We encourage you to read the policy carefully to understand our practices regarding your personal data.

We will update our privacy policy from time to time. The latest version of our privacy policy can always be found on this page. As of 25 May 2018, we will keep track of the changes we make. These can be found in section 14 of our privacy policy.

If you have any questions or comments regarding our privacy policy, please contact privacy@ecdpm.org.

1. Who are we?

The European Centre for Development Policy Management (ECDPM) is a leading independent think tank that wants to make policies in Europe and Africa work for inclusive and sustainable development. We have two offices – in Maastricht, the Netherlands and in Brussels, Belgium.

3. Who deals with our data and privacy matters?

Some organisations and companies are required to appoint a Data Protection Officer. We are not. Instead, we put together a special team dealing with privacy issues. That team includes representatives from several ECDPM departments: ICT, finance, operations, human resources, communications, management and learning and quality support.

You can reach the team at privacy@ecdpm.org. Our main contact person is Asnath Kersten. She can be reached by telephone at +31 (043) 3502924 or +31 (0)6 51715929.

4. What data do we collect, and why? Where do we store it, and for how long? And who has access?

We may collect and process the following data about you:

A. Information that you provide by filling in forms on our website (www.ecdpm.org)

When you subscribe to one or more of our newsletters, we ask you for your email address and name, which we will use to contact you and to personalise our newsletters. We also ask you for your organisation name, the sector you work in and the global region you come from. This information helps us identify who our audience is broadly and deliver a better service.

After you have subscribed, you will receive an email asking you to confirm your subscription. We will store your personal data in our external email database, which is only accessible by our communications and ICT departments. Your data will be saved for a maximum period of twenty years; after that your data will be permanently deleted from our system.

We lawfully process this information on the basis of consent and performance of contract; meaning you have given us permission to process this data and you have requested a service which we deliver to you. In addition, we process your information on the basis of legitimate interests pursued by ECDPM (personalisation and general audience analysis help us deliver a better service).

When you leave a comment on one of our blogs or papers, we ask you for you name and email address. Your name will be publicly visible after you commented, but your email address will not be published. We will use your email address to notify you of follow-up comments, should you wish to receive those. When follow-up from our staff is required, we may contact you via email directly.

We may use the content of your comments in internal reports and reports to our funders, to meet our contractual reporting obligations. We do that to indicate the level of engagement or discussion that our blogs or publications stimulated, which serves as an impact measurement of our work. We will pseudonymise to the maximum possible extent, meaning we will never include your name and email address in those reports; only your message.

Your comments, name and email address are stored in our website content management system, which is only accessible by our communications and ICT teams. Our website developers also have access to that system, but we require that they comply strictly with our policy and prohibit the use of your personal information for their own business purposes.

We may also store the content of your comment in our internal reporting systems, which is accessible to all ECDPM staff. Your data will be saved for a maximum period of ten years; after that your data will be permanently deleted from our systems.

We lawfully process this information on the basis of consent (you agree to submitting a comment) and legitimate interests pursued by ECDPM (impact measurement needed for reporting to our funders).

When you register to one of our events, we ask you for your email address and name, which we will use to identify you during the event and to send you any relevant updates before or after the event. We may also ask you for your organisation name, the sector you work in and the global region you come from. This information helps us identify who our audience is broadly and deliver a better and more personalised service.

We may share an indication of the people who participated with our funders to meet our contractual reporting obligations. This helps us indicate the level of participation from several groups, needed to determine the success of our events. We will pseudonymise to the maximum possible extent, meaning we will not include your name or other personal data that may identify you, but rather give an indication of the level of attendance from certain organisations and areas of expertise.

We will store your information on our cloud storage and potentially our internal reporting system, both of which are accessible only by ECDPM staff. Your registration details will be saved until 30 days after the event and will then be permanently deleted from our systems. Information giving an indication of the level of attendance may be saved for a maximum period of ten years; after that your data will be permanently deleted from our systems.

We lawfully process this information on the basis of consent and performance of contract; meaning you have given us permission to process this data and you have requested a service which we deliver to you. In addition, we process your information on the basis of legitimate interests pursued by ECDPM (general audience analysis and impact measurement needed for donor reporting).

When you fill out a feedback survey, we may ask you for an indication about the sector you work in, the type of organisation you work for and the global region you come from. We ask for that information to be able to broadly analyse the feedback and the audience who participated in the survey. Our surveys are always anonymous; we will not record your IP-address, e-mail address or name. However, your feedback may include details that make it possible for us to identify you.

We may share the results of feedback surveys with our funders to meet our contractual reporting obligations. Feedback helps us determine the success of our work or point to areas for improvement. We will store your information on our cloud storage and potentially our internal reporting system, both of which are accessible only by ECDPM staff, for a maximum period of five years.

We lawfully process this information on the basis of consent; meaning you have given us permission to process this data by participating in the survey. In addition, we process your information on the basis of legitimate interests pursued by ECDPM (feedback collection and impact measurement needed for donor reporting).

When you send us an open application via our website, we ask you for the following personal information: name; date and place of birth; email address; phone number; your areas of interest; your position of interest; your availability; your employment history; your qualifications; and your motivation to work at ECDPM. You may also chose to submit additional information, such as a CV or a photo.

We will store this information on a confidential section of our cloud storage, which is only accessible by our human resources and ICT departments. They may forward your information to other ECDPM colleagues in case a relevant position opens up.We will store your information for one year. We are often looking for policy staff with very specific areas of expertise, but no position may be open at the time of application. After one year, your data will be permanently deleted from our system.

We lawfully process this information on the basis of consent (by agreeing to submitting your application) and steps needed for potentially entering into a contract with ECDPM, at your request.

B. If you apply to any of our vacancies, we will store your personal details and CV

If you apply to a job position at ECDPM, we ask you for the following personal information: name; date and place of birth; email address; phone number; your areas of interest; your position of interest; your availability; your employment history; your qualifications; contact details of your references; your motivation to work at ECDPM; and your CV. You may also chose to submit additional information, such as a photo or examples of your work.

We will store this information on a confidential section of our cloud storage, which is only accessible by our human resources and ICT departments, as well as members from the department which is hiring a new colleague.

After the vacancy has closed, we will keep your information in our system for one year. We are often looking for policy staff with very specific areas of expertise, and another relevant position may open up at a later point in time. After one year, your data will be permanently deleted from our system. If you wish that we do not keep your details after the vacancy deadline has passed, you may indicate this in your application.

We lawfully process this information on the basis of consent (by agreeing to submitting your application) and steps needed for potentially entering into a contract with ECDPM, at your request.

C. If you contact us, we may keep a record of that correspondence

If you contact ECDPM or our staff members via email or phone, we may keep a record of your correspondence in our mail inbox and we may collect your name, phone number, organisation name and email address to ensure we can follow up on your request.We will keep a record of your correspondence in our email inbox for as long that particular email account exists. Our staff may need to keep records of past correspondence for effective communication. If you provide feedback about our work or staff in your correspondence, we may use that for internal reports or reports to funders, to meet our contractual reporting obligations. Feedback helps us determine the success of our work or point to areas for improvement. We will pseudonymise that feedback and will never use your name or other personal data that may identify you – unless you’ve given explicit permission. We will store feedback in our internal reporting system for a maximum period of five years.

We lawfully process this information on the basis of consent (you have contacted us), performance of contract (we may have to respond to a request made by you) and legitimate interests pursued by ECDPM (feedback collection and impact measurement needed for donor reporting).

D. During events, we may take notes for internal purposes

If you speak during events we organise or attend; or if you interact with our staff members during these events, we may take notes that include your name, organisation name and discussion points or feedback for internal reporting purposes.

We make notes to report back on the meetings we organise or attend, to gather feedback on or interest in our work, or to capture suggestions for improvement. It helps us analyse policy discussions, which is essential for our work; and what we do well and what we can do better.

That information may be stored in our internal reporting system, which can be accessed by ECDPM staff only. Under no circumstances will we share this information with our funders or other parties, not even in anonymised or pseudonymised format. The data we store in our reporting system will be saved for a maximum period of twenty years.

We lawfully process that information on the basis of legitimate interests pursued by ECDPM (feedback collection and analysis of policy discussions needed to perform our jobs).

E. We may store your business contact details in our contact database, provided you give explicit permission for that

If you have been in touch with or provide your business card to our staff members, we may contact you via email to ask for your permission to store your business contact details in our contact database.

Our contact database helps us store all business-related contact details of people in our network in one place. It is basically like a phonebook, which can be consulted by our staff members if they need the contact details of a specific member of our network. We also use the database to send invitation for events or specific publications to targeted groups.

We ask you for your email address, title, name, address and telephone number be able to identify and contact you. Not all of these details are required. You may also add your organisation, function, department and sector. These details help our staff members identify the right person for projects or events. Additionally, your organisation name, sector and country help us identify broadly which people belong to our network.

That database is accessible to all ECDPM staff members. The data we store in our contact database will be saved for a maximum period of twenty years; after that your data will be permanently deleted from our system.

We lawfully process this information on the basis of consent; meaning we only include your details in our database if you give us permission for that. In addition, we process your information on the basis of legitimate interests pursued by ECDPM (general network analysis help us deliver a better service).

F. We may store personal information when conducting interviews

When you take part in an interview we are conducting for a study, we may record your personal data. Those data may may include your name, email address, phone number, organisation name, job function and the country and global region you come from or work in, alongside the notes of your interview. The exact personal data we collect may depend on the specific study, but before you take part in an interview, we will clearly communicate to you which data we collect.

We may use parts of your interview in our studies, to be able to answer our research question. We will pseudonymise your answers and will never use your name or other personal information that may identify you.

We will store your information on our cloud storage, which is accessible by all (or a selected group of) ECDPM staff, for a maximum period of ten years. After that period, your details will be permanently deleted from our system. The studies we publish online cannot be deleted.

We lawfully process this information on the basis of consent; meaning you have given us permission to process this data by participating in the interview. In addition, we process your information on the basis of legitimate interests pursued by ECDPM (using parts of your interview in our studies to answer our research question).

G. We track which parts of our website you visit and the resources you access

When you visit our website, our analytics system may collect information about your device, operating system, browser type, language and location. The first time you visit our website you will be asked to accept or refuse cookies. Cookies allow our analytics system to identify your computer as you view different pages on our website. They also allow our system to see how many people use the website and what pages they visit.

This is statistical data about our website visitors’ browsing actions and patterns when using our site, and does not identify any individual. It helps us identify who our audience is broadly and deliver a better and more personalised service. Our system can see your IP-address to be able to collect information, but masks your address for us. That means that we cannot see or retrieve your IP-address.This information is stored in our analytics system for a maximum period of 50 months. This system is only accessible by our ICT and communications departments. We may extract reports from that system which we will store on our internal cloud storage, accessible to all ECDPM staff, for a maximum period of five years.

We lawfully process this information on the basis of consent (by accepting cookies) and legitimate interests pursued by ECDPM (general audience analysis).

H. We may store messages or interactions addressed to us from your social media accounts

If you follow us on social media (Facebook, Twitter, YouTube and LinkedIn), we may collect statistical information about your age, country, language, gender or any other publicly available information from your profile. That data collection does not identify any individual. This information helps us broadly identify our audience and deliver a better and more personalised service.

This information is stored on our social media accounts, which are only accessible to our ICT and communications departments. We may extract reports which we will store on our our internal cloud storage, accessible by all ECDPM staff, for a maximum period of five years.

We lawfully process this information on the basis of consent (by agreeing to Facebook, Twitter, YouTube and LinkedIn policies and by choosing to follow our accounts) and on the basis of legitimate interests pursued by ECDPM (general audience analysis).

If you interact with us or our staff members on social media, we may use your interactions in internal reports and reports to our funders, to meet our contractual reporting obligations. We do that to indicate the level of engagement or discussion that our blogs or publications stimulated, which serves as an impact measurement of our work to indicate the level of engagement or discussion that our posts or work stimulated. We will pseudonymise to the maximum possible extent, meaning we will not include your name or other personal data that may identify you.

This information is stored on our, or our staff members’, social media accounts, which are only accessible to our ICT and communications departments or to individual staff members. We may extract reports which we will store on our our internal cloud storage, accessible by all ECDPM staff, for a maximum period of five years.

We lawfully process this information on the basis of consent (by agreeing to Facebook, Twitter, YouTube and LinkedIn policies and by choosing to follow our accounts) and on the basis of legitimate interests pursued by ECDPM (general audience analysis and impact measurement needed for donor reporting).

I. If you are a journalist, we may send you press releases or invitations

If you are a journalist, we may send you press releases or invitations. To be able to do that, we may collect your email address, name and organisation.We legally process this information on the basis of legitimate interest pursued by ECDPM and journalists: meaning we are interested in getting some of our work to the media for maximum outreach and journalists may want to be informed about big studies or events for professional purposes.

J. ECDPM Dgroups

ECDPM is the owner of three discussion groups on Dgroups – a platform for groups and communities in international development. If you subscribe to one of these discussion groups, we ask you for your name, email address and country. You may also choose to indicate your job function, your biography and professional experience.

The discussion groups are closed and only the administrators (several ECDPM staff members and Dgroups representatives) can see the personal details of the full member list. However, if you post a message to the group, every group member will be able to see your message and your personal details either on the discussion group site, or in their inbox. Dgroups administrators will not share your information with any other party. We cannot be held liable for actions taken by individual members.

We lawfully process this information on the basis of consent and performance of contract; meaning you have given us permission to process this data and you have requested a service which we deliver to you.

We are currently not aware about the retention time of information on Dgroups, but expect more clarity on this soon.K. European Think Tanks Group

ECDPM is a member of the European Think Tanks Group (ETTG), which in addition to us includes the German Development Institute (DIE), the Institute of International Affairs (IAI), the Institute for Sustainable Development and International Relations (IDDRI), and the Overseas Development Institute (ODI).

The European Think Tanks Group may store or process your personal data when you visit the groups’ website, follow it on social media or have subscribed to its newsletter. For more information, we ask you to read the European Think Tanks Group privacy statement, which will soon be available at ettg.eu.
Collection, storage and processing of personal data of our staff members, partners and third parties is outlined in our contracts.

5. How do we secure your personal data?

In section 4 of our privacy policy we outline the places where we store your data and who has access. In all those cases, we take great care in holding your information securely.

Our contact database is stored on-premise where business security measures, on-site and off-site encrypted backups and internal guidelines for staff are in place to protect your data.

Other data that we collect from you may be transferred to and stored in external systems, some of which are outside the European Economic Area (EEA). Examples are our email database, our social media platforms, our website content management system and our shared cloud storage. These are all GDPR-compliant. By submitting your personal data, you agree to this transfer, storing or processing. We will take all steps necessary to ensure that your data is treated securely and in accordance with this privacy policy.

Please note that transmission of information via the internet is never completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to the sites where we host your data – so any transmission is at your own risk. Once we have received your information, strict procedures and security features are in place to prevent unauthorised access.

6. Will you share my information with other parties?

In principle not. We do not share your personal information with our partners, funders or third parties – unless we have your explicit permission or disclosure is required by law.

We may share pseudonymised messages or feedback that was given by you in reports to our funders (see section 4 for more information). We do that to indicate the level of engagement or discussion that publications or events stimulated – which is necessary to be able to show the impact of our work. We will never include your name or any other personal details in those messages or feedback.

In some cases, we may use third parties to process your information. On these occasions, we will require that these third parties comply strictly with our policy and will prohibit the use of your personal information for their own business purposes.

7. Can you check if we hold any information on you?

8. Can you get a copy of the information we hold on you?

Yes, you can. You can request access to the information we hold on you by emailing privacy@ecdpm.org. We will then submit a full copy of your details to the email address you provide to us within 30 days after your request. You may also ask us to send a copy of those details to another party. In both cases, no fees will be charged to you.

If you are subscribed to one or more of our newsletters, you can view your subscription details by clicking the link at the bottom of any of the newsletter issues you have received from us.

9. Can we change or update your information?

10. Can we remove your data from our systems?

Yes, you have the right to be removed from our data systems – unless we are required by law to keep some of your data. For example: we may be legally obliged to keep personal data relating to tax matters.

If you want to be removed from our systems, please contact us at privacy@ecdpm.org. We will answer your request for removal within 30 days after you have contacted us.

Please note that we will take utmost care of deleting your details everywhere, but that we may need to keep some of your data in (parts of) our systems if we are legally obliged to or if other legal grounds apply, such as legitimate interests.

13. What are data breaches, and how do we deal with them?

A data breach is an incident where the confidentiality, integrity or availability of personal data has or may have been compromised. For example: a device that contains personal data is lost or stolen; an unauthorised party has access to the personal data we store; or personal data we store is shared or made public without explicit permission.

If we encounter a data breach on our end that poses a risk to the personal data we store, we must notify the Dutch Data Protection Authority within 72 hours of becoming aware of the data breach.

In case the data breach poses a serious threat to the safety of your personal data, we will notify you too – provided the contact details we hold on you are correct and up-to-date.

15. What about links to and from our site?

On our website (www.ecdpm.org) you may find links to other websites, or you may have been referred to our website via another website.

Please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. We recommend you to check the privacy policies of these website before you submit any personal data on those websites.